Hi Vũ Thị,

thank you for your interest in Knot DNS.

Let me start with some personal opinion. I think that while query
logging is useful for debugging purposes, it's generally not a good idea
to have it enabled on any production server. The reason is performance.
While the authoritative DNS server is able to process millions of
queries per second, this is usually far beyond what any syslog could handle.
There are two dangers: 1) your auth DNS server will be slow, 2) your
syslog will be vulnerable to being overwhelmed. [Opinions from other DNS
users welcome!]

The dnstap module is designed accordingly: it does not print out queries
in textual representation, and it does not put them into syslog.
Instead, it dumps the queries in a portable binary format, and puts them
either to a file (that can be later translated into textual form) or a
pipe (that can be processed continuously). The users are encouraged to
create any useful utilities that are able to read and process those.
The performance of the dnstap module is quite good.

Nevertheless, some time ago, I created a prototype of a querylog module
that simply logs all the queries. It has not been merged to the Knot
codebase, mostly because of the lack of interest and the lack of a good
specification. Anyway, it seems to work well even when merged to current
master. You might look at it and modify it according to your needs:
https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/1154

Unfortunately, I'm not aware of anyone using dnstap in production. Maybe
someone on the mailing-list might share their experience?

BR,
Libor

On 09.11.20 at 05:06, Vu Thi Hoan wrote:
Dear!

We are learning about Knot DNS to apply it to our DNS Authoritative
Secondary. However, we are wondering about the query log. I have read
the documentation of the Knot DNS software (Knot DNS Documentation Release
2.9.4 / 8.3 dnstap – Dnstap traffic logging): the query log of Knot DNS
cannot be obtained directly as in BIND9; the query log can be obtained
with the dnstap tool.

For the Knot DNS software, we cannot get the query log continuously and
directly to the current syslog server, since the raw log needs to be
captured and then read after the capture stops.

I want to know how to get the query log continuously when using Knot
DNS or software of your DNS and other DNS of organizations have
already applied. Can you share with us and help us to deploy Knot DNS
to our DNS Authoritative Secondary.

Best Regards,
Vũ Thị Hoàn
=================================================
DNS & VNIX - Trung tâm Internet Việt Nam
Mobile: +84 916 961 631
Email: hoanvt(a)vnnic.vn
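
The reply above describes dnstap output as a binary stream that can be read from a pipe and processed continuously. As an added example (not part of the original thread and not Knot DNS code), the following sketch reads such a stream frame by frame, assuming the usual dnstap transport, Frame Streams (fstrm) in its unidirectional file/pipe form; the function names and the sample stream are constructed for illustration.

```python
import io
import struct

# Frame Streams (fstrm) protocol constants; dnstap's content type string.
CONTROL_START, CONTROL_STOP, FIELD_CONTENT_TYPE = 2, 3, 1
DNSTAP_CONTENT_TYPE = b"protobuf:dnstap.Dnstap"
MAX_FRAME = 1 << 20   # assumed cap: reject oversized frames, do not allocate blindly
MAX_CONTROL = 512     # fstrm limit for control frames

def _read_exact(stream, n):
    """Read exactly n bytes; on a pipe this blocks until the writer sends them."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise EOFError("stream ended inside a frame")
        buf += chunk
    return buf

def _read_u32(stream):
    return struct.unpack("!I", _read_exact(stream, 4))[0]

def read_dnstap_frames(stream):
    """Yield each dnstap payload (a serialized protobuf message) as it completes."""
    started = False
    while True:
        length = _read_u32(stream)
        if length:                          # non-zero length: data frame
            if not started or length > MAX_FRAME:
                raise ValueError("unexpected or oversized data frame")
            yield _read_exact(stream, length)
            continue
        clen = _read_u32(stream)            # zero length escapes a control frame
        if not 4 <= clen <= MAX_CONTROL:
            raise ValueError("bad control frame length")
        body = _read_exact(stream, clen)
        ctype = struct.unpack("!I", body[:4])[0]
        if ctype == CONTROL_STOP:
            return
        if ctype == CONTROL_START:
            if len(body) >= 12:             # optional content-type field
                ftype, flen = struct.unpack("!II", body[4:12])
                if ftype != FIELD_CONTENT_TYPE or body[12:12 + flen] != DNSTAP_CONTENT_TYPE:
                    raise ValueError("stream is not dnstap")
            started = True

def build_sample_stream(payloads):
    """Constructed sample input: START, one data frame per payload, STOP."""
    start = struct.pack("!III", CONTROL_START, FIELD_CONTENT_TYPE,
                        len(DNSTAP_CONTENT_TYPE)) + DNSTAP_CONTENT_TYPE
    data = b"".join(struct.pack("!I", len(p)) + p for p in payloads)
    return (struct.pack("!II", 0, len(start)) + start + data
            + struct.pack("!III", 0, 4, CONTROL_STOP))

def parse_bytes(data):
    return list(read_dnstap_frames(io.BytesIO(data)))
```

To follow a live pipe, pass a binary file object such as `sys.stdin.buffer` to `read_dnstap_frames`; each yielded payload still has to be decoded with the dnstap protobuf schema before it can be forwarded as text.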